Posted by: David Harley | June 23, 2017

OceanLotus – a New(ish) Wave

Analysis by Palo Alto of The New and Improved macOS Backdoor from OceanLotus.  Palo Alto states that this version is targeting victims in Vietnam.

For background, an article from early 2016 by AlienVault: OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update 

David Harley

Posted by: David Harley | June 15, 2017

Fake AV and ‘Wannacry Protectors’ for Android

Gabriela Vatu for Softpedia: Hundreds of Malicious Apps Posing as Virus Scanners Found in App Stores – These virus scanners will actually do you harm

Warnings about Wannacry protectors – Wannacry doesn’t affect Android – from McAfee, and fake AV statistics from RiskIQ.

There are no direct links in the article, so I’ve included some here:

David Harley

Posted by: David Harley | June 13, 2017

MacRansom (& MacSpy)

[Updated 15th June 2017]

(MacSpy isn’t ransomware, but seems to have been developed by the same author, and both are offered as as-a-service malware.)

Zeljka Zorz for HelpNet Security: Two Mac malware-as-a-Service offerings uncovered. According to HelpNet ‘Patric Wardle’s RansomWhere? tool can also stop MacRansomware from doing any damage.’

Rommel Joven and Wayne Chin Yick Low, for Fortinet: MacRansom: Offered as Ransomware as a Service

Sophos: More evidence Mac ransomware exists

Fortinet notes that “Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file…”

AlienVault: MacSpy: OS X RAT as a Service

David Harley

Posted by: David Harley | May 8, 2017

Hacking Handbrake

A post by Graham Cluley for ESET describes how ‘A mirror download server for the popular tool HandBrake video file-transcoding app has been compromised by hackers, who replaced its Mac edition with malware.’

Malware warning for Mac users, after HandBrake mirror download server hacked

David Harley

Posted by: David Harley | March 21, 2017

More Warnings to Mac Users

You go for years thinking that hardly anyone is interested in reminding Mac users that they can be caught out by malware too, and then you get three articles at once beating the same drum, or at any rate to much the same rhythm. Yesterday, as I remarked in an earlier blog, there was a very nice article by Thomas Reed for Malwarebytes:  Mac Security Facts and Fallacies.

And today, along come a couple more. One is from the Cylance Threat Guidance Team (Threat Spotlight: Mac Malware): since it mentions me, I should say that while I’m fundamentally in agreement with the article, I have to clarify that though I was drafted into the WildList Organization to implement a Mac WildList, it didn’t (for various reasons) get beyond the planning stage. Anyway, the article seems to throw a little more light on the threat ESET calls OSX/Filecoder.E, as discussed in a blog by Marc-Etienne M.Léveillé from 22nd February  –  New crypto-ransomware hits macOS. There are some other links to information about OSX/Filecoder.E on this site: OSX/Filecoder.E Ransomware Recovery.

The other is by Bill Brenner for Sophos: Your Mac is not malware-proof: a look at the threats and defenses. Sophos believes that there is other macOS-targeting malware incoming, including ransomware.  Sophos researchers Xinran Wu is quoted as saying that ‘MacOS tends to be more a victim of nuisance programs known as potentially unwanted applications (PUA) – adware, for example.’ (Thomas Reed made much the same point in his article for Malwarebytes.) And I agree with him that apart from PUAs, the unequivocal malware that we’ve seen for OS X/macOS has tended to be targeted. However, the way it’s expressed in that article seems to imply that malware is either targeted or drive-by. And, of course, drive-by downloads are a considerable problem, but they’re not the only problem – there’s plenty of other malware (I’m talking malware in general, not Mac-specific stuff) that uses other vectors and doesn’t rely on vulnerabilities in applications. Still, there are plenty of useful links in the article.

David Harley

Posted by: David Harley | March 20, 2017

Macs, Facts and Fallacies

If you’ve followed my Mac-related writing over the past couple of decades – how are you both? – you’ll know that a lot of that writing has been about mistaken claims that Macs offer more security than they really do. A view that has earned me more abuse (from the fanboi faction, at any rate) than admiration, but nearly 30 years spent in and around  the anti-malware industry have helped me grow a pretty thick skin.

All that aside, it’s quite nice to see someone else expressing similar views occasionally: in this case, Thomas Reed, who has been writing interesting and useful articles on Mac security for a long time, recently on behalf of Malwarebytes. I have to agree with Forbes that his article Mac Security Facts and Fallacies is a “useful and informative blog post that provides a balanced view of the strengths and weaknesses of security on the Mac.”

David Harley

Posted by: David Harley | March 13, 2017

Checkpoint on pre-installed Android malware

Oren Koriat, Check Point Mobile Research Team: Preinstalled Malware Targeting Mobile Users. Malware discovered includes Slocker ransomware.

– DH

Posted by: David Harley | March 3, 2017

Eugene Kaspersky on macOS, IoT…

…and various other acronyms and ‘issues.

Kieren McCarthy, for The Register, summarizes the keynote at the Mobile World Congress by ‘security showman Eugene Kaspersky’: Apple’s macOS is the safer choice – but not for the reason you think – Eugene Kaspersky looks forward to a new darker dawn.

According to McCarthy, Kaspersky claimed that the comparatively sparse malware targeting macOS is ‘more a case of difficulty in hacker recruitment than evidence of stronger inherent security.’

David Harley

Posted by: David Harley | March 1, 2017

AV-Comparatives Android Test

This looks like a reasonably comprehensive and informative test of Android security products. The test, from AV-Comparatives, used ‘the top 1,000 most common Android malware threats of 2016’.

Android Security Test 2017 – 100+ Apps tested

Lots of mainstream products scored 100% (as they should in a test like this), and others scored near to that. So this isn’t going to tell you which of those products you should be using. (Which is fine by me: I’m not sure that the ‘editors pick’ snapshot choice between several products that are approximately level  in performance, though beloved of magazine reviews, is generally very helpful.) What it does show is a lot of products whose scores seem to be unacceptably low.

David Harley

Posted by: David Harley | March 1, 2017

OSX/Filecoder.E Ransomware Recovery

[Also posted at AVIEN: Patcher/Filezip/Filecoder – data recovery and naming. Slightly edited here.]

Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page at AVIEN but didn’t give it an article of its own there. Since there is important news (to potential victims) from Sophos and Malwarebytes, I’m repairing that omission there and also at MacVirus.

Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.

David Harley

Older Posts »